Organizing OT security operations teams

The project gathered best practices in organizing security operations from ENCS members, drawing on experiences from all monitoring deployments and pilots at member organizations. A whitepaper was written covering:

the business case for OT security operations

the capabilities a security operations team needs

staffing of the security operations team

collaboration between IT and OT departments

possibilities for outsourcing.

Use cases based on risks

The project defined a set of risk-based monitoring use cases. Each use case defines all the steps needed to implement it:

which data should be gathered

how the data should be analysed

how analysts can respond to incidents

Each use case is also explicitly linked to the threats it mitigates. This allows grid operators to select use cases based on a risk assessment, so that only alerts relevant to their actual risks are generated and analysts are not flooded with them.

A selection of five use cases was made as a starting point for setting up monitoring. These use cases mitigate common major risks to SCADA systems and can be implemented by small teams with moderate resources.

Market survey of OT security sensors

The project performed a market survey and evaluation of new security sensors for OT. Several vendors have developed network-based sensors that can detect vulnerabilities and intrusions in OT systems. A survey was carried out to compare the capabilities of these sensors.